@jbrowse/plugin-dotplot-view

JBrowse 2 dotplot view

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

garrettjstevensrbuelscmdcolin

Keywords

jbrowsejbrowse2

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): JBrowse monorepo migrated to GitHub Actions CI publishing; SLSA attestation confirms legitimate pipeline.	ai	2026/05/26
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer consolidation consistent with migration to automated CI publishing for the JBrowse monorepo.	ai	2026/05/26
provenance	missing-githead	AI (provenance): CI/CD pipeline change explains missing gitHead; SLSA provenance attestation provides equivalent supply chain integrity.	ai	2026/05/26
publish-pattern	new-deps-added	AI (publish-pattern): file-saver-es and @jbrowse/mobx-state-tree are established packages replacing prior equivalents; not suspicious for this package.	ai	2026/05/21
phantom-deps	phantom-dep:@types/file-saver	AI (phantom-deps): Type-only package; framework-scoped, not directly imported by convention.	ai	2026/05/17
phantom-deps	phantom-dep:rxjs	AI (phantom-deps): rxjs is a declared runtime dep used transitively in JBrowse plugins; phantom-dep heuristic false positive.	ai	2026/05/17
phantom-deps	phantom-dep:@types/file-saver-es	AI (phantom-deps): Type-only package used as a dev/type dep in a TS project; not a real phantom dep concern.	ai	2026/05/17

Versions (showing 23 of 23)

Version	Deps	Published
4.3.0	10 / 0	2026-05-21
4.2.1	10 / 0	2026-04-27
4.2.0	10 / 0	2026-04-16
4.1.15	10 / 0	2026-04-02
4.1.14	10 / 0	2026-03-08
4.1.13	10 / 0	2026-02-19
4.1.12	10 / 0	2026-02-19
4.1.11	10 / 0	2026-02-19
4.1.10	10 / 0	2026-02-19
4.1.9	10 / 0	2026-02-19
4.1.8	10 / 0	2026-02-19
4.1.7	10 / 0	2026-02-18
4.1.6	10 / 0	2026-02-18
4.1.5	10 / 0	2026-02-18
4.1.4	10 / 0	2026-02-18
4.1.3	10 / 0	2026-01-27
4.1.1	10 / 0	2026-01-22
4.0.4	10 / 0	2026-01-17
4.0.3	10 / 0	2026-01-10
4.0.2	10 / 0	2026-01-10
4.0.1	10 / 0	2026-01-10
4.0.0	10 / 0	2026-01-10
3.7.0	12 / 0	2025-11-07

v4.3.0

2 findings

HIGH Publisher changed: cmdcolin → GitHub Actions (on 2026-05-21) provenance

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: cmdcolin → GitHub Actions (on 2026-04-27) provenance

This version was published by a different npm account than previous versions on 2026-04-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: cmdcolin → GitHub Actions (on 2026-04-16) provenance

This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.